After several years of consultations, committee hearings and draft proposals, the long foreshadowed reforms to Australian whistleblower legislation were finally passed by Parliament on 19 February 2019.

The combination of these aspects of reform will significantly increase the need for a review of a corporation’s risk register, as well as the probability of regulator action in a wider range of areas.

Various factors are contributing to increasing scrutiny of the conduct of corporate Australia. Community expectations are shifting, with consumers and users of corporate services demanding more accountability from directors and senior managers.

Most obviously, this attention is focused on highlighting any non-compliance with applicable laws, but the community is also increasingly wanting corporates to venture beyond compliance and to model ‘good behaviour’ across a range of issues.

More and more, businesses are having to address the question: ‘what does the social licence to operate require of us?’

In this article, we focus in particular on the amendments to the whistleblower legislation just passed by Parliament which aim to bring corporate (and in some instances, individual) misbehaviour to light.

In the year ahead, we also expect to see further change in a range of areas governing corporate conduct – and a press for the implementation of long-flagged changes to the foreign bribery and corruption offence.

Enhanced whistleblower protections

The Treasury Laws Amendment (Enhancing Whistleblower Protections) Bill 2019 (Cth) (Whistleblower Bill) was passed by Parliament, and generally takes effect from the first 1 January, 1 April, 1 July or 1 October to occur three months after the Bill receives Royal Assent. This could be as early as 1 July 2019.

It will impose significant, and we think, insufficiently appreciated compliance burdens, which we address below.

In 2018, the Bill was considered by the Senate Economics Committee and some changes were proposed, which have made their way through to the Bill. The Whistleblower Bill:

  • harmonises the various current whistleblower regimes under federal law;
  • expands the existing protections and remedies for whistleblowers; and
  • creates a whistleblower regime for tax-related misconduct and contraventions.

The amendments will apply to disclosures made on or commencement, and that relate to matters that occur or occurred before, on or after commencement.[1]Notably, some parts of the Whistleblower Bill (including matters relating to compensation and remedies) will apply retrospectively to disclosures that were made prior to commencement, so long as the disclosure was such that it would have been protected had the Whistleblower Bill been in force at the time.[2]

The Whistleblower Bill also:

  • requires public companies[3] and ‘large proprietary companies’[4] to have mandatory whistleblower policies, with mandatory content;[5]
  • facilitates the making of protected disclosures about a wide range of misconduct, including the existence of an ‘improper state of affairs’;[6]
  • provides protections to a wider range of people who make protected disclosures than were protected under the previous regime (that is, to an ‘eligible whistleblower’);[7]
  • provides protections to eligible whistleblowers on the basis that the disclosure was made to an ‘eligible recipient’ of the disclosure, which includes officers or senior managers (but not other employees) of the company, the company’s auditors, actuaries or another person authorised by the company. Similar recipients apply to superannuation entities.[8] The importance for corporations, in light of the detrimental consequences that can arise if a disclosure is handled in accordance with the Bill, is that this more senior and experienced cohort of staff will have this responsibility, rather than more junior staff;
  • allows anonymous disclosures;
  • excludes most disclosures of personal work-related grievances from protection (excluding tax matters).[9] This is a change that is welcomed, as it will ensure that the corporation must act on the disclosure only when the disclosure truly is whistleblowing as opposed to personal grievances that do not contravene section 1317AC of the Corporations Act;
  • allows for protected ’emergency’ or ‘public interest’ disclosures to be made to the media or members of Parliament in extreme cases (excluding tax matters), including that at least 90 days had passed since an earlier protected disclosure had been made and not been acted upon, or there will be substantial and imminent danger to someone’s health or safety;[10]
  • no longer requires that a whistleblower act in good faith to gain the benefit of the protections (that is, the whistleblower’s motivation is irrelevant and it will be sufficient that the person has objectively reasonable grounds to suspect misconduct or a contravention, or (more nebulously) an improper state of affairs or circumstances);[11]
  • expands the protections and redress available to whistleblowers who suffer reprisals, improving access to compensation;[12] and
  • provides a reverse onus of proof when a person seeks compensation, once they have established they have suffered detriment.[13]

The penalties have been significantly increased in relation to victimisation and breaches of the confidentiality obligation (see the table below).

Whistleblower policies: what you need to know

Importantly, the Whistleblower Bill requires all public companies and large proprietary companies to have a whistleblower policy in place.

The implementation period for public companies and registerable superannuation entities will be tight. The legislation comes into effect on the first of one of these dates: 1 January, 1 April, 1 July or 1 October, which occurs 3 months after Royal Assent is given. This is likely to be 1 July 2019. Large proprietary companies must have a whistleblower policy, no later than six months after a proprietary company first becomes a large proprietary company. The transitional provisions give a further six month period for the whistleblower policy to be in place (ie if the legislation commences 1 July 2019, the policy must be in place by 1 January 2020).[14]

A whistleblower policy must set out information about:

  • the protections available to whistleblowers;
  • the person/organisations to whom protected disclosures may be made, and how they can be made;
  • how the company will support whistleblowers and protect them from detriment;
  • how the company will investigate protected disclosures;
  • how the company will ensure fair treatment of employees of the company who are mentioned in protected disclosures, or to whom such disclosures relate;
  • how the policy is to be made available to officers and employees of the company; and
  • any other matters prescribed by the regulations.

Failure to comply with the requirement to implement a whistleblower policy is a strict liability offence with a penalty of 60 penalty units (currently $12,600 for individuals).[15]

Compliance burden

The changes bring about some areas of challenge, which affected organisations will have to address. These include:

  1. Internal resources who receive and investigate protected disclosures will need to consider carefully whether current processes for handling such information are appropriate given the very limited permitted grounds for disclosure for the purposes of investigating a matter.
  2. Additional training / communications will be required for ‘eligible recipients’ to ensure they know how to identify a whistleblower report and what to do if they receive one. While late revisions to the Bill limited the class of eligible recipients to ‘senior managers’, given some of the complexity defining who is a ‘senior manager’ (particularly for corporate groups), it may be prudent to take a more generous view of who could be receiving a protected disclosure and adapting leader training accordingly.
  3. There is some difficulty in scoping the detail which will be required to satisfy the whistleblower policy obligation. ASIC has indicated it will be will be issuing some guidance, preceded by a consultation process.[16] Corporations will face significant penalties if they get this aspect wrong in practice.
  4. Organisations that operate in multiple jurisdictions should consider whether a ‘one size fits all’ approach is truly appropriate, given there are key differences between the whistleblower protection regimes in jurisdictions.

Consequences of contravention

There will be significant penalties for corporations (and individuals) rising from contraventions of the legislation. These are set out in the table below:

Contravention Penalty
Civil Penalty provisions (Corporations Act)
Breach of confidentiality of identity of whistleblower
Victimisation or threatened victimisation of whistleblower
  • For an individual, 5,000 penalty units [$1.050M] or three times the benefit derived or detriment avoided; and
  • For a body corporate, 50,000 penalty units [$10.5M], three times the benefit derived or detriment avoided, or 10% of the body corporate’s annual turnover (up to 2.5 million penalty units [$525M]).
Criminal offences (generally Corporations Act and Taxation Administration Act)
Breach of confidentiality of identity of whistleblower For an individual…

  • Under the Corporations Act: 6 months imprisonment or 30 penalty units [$6,300] or both
  • Under the Taxation Administration Act: 6 months imprisonment or 60 penalty units [$12,600] or both
Victimisation or threatened victimisation of whistleblower For an individual…

  • Under the Corporations Act: 2 years imprisonment or 120 [$25,200] penalty units or both
  • Under the Taxation Administration Act: 2 years imprisonment or 240 penalty units [$50,400] or both
Failure to have whistleblower policy (Corporations Act only) 60 penalty units [$12,600]

[1] Corporations Act 2001 (Cth) s 1644(1), introduced by the Whistleblower Bill s 12.

[2] Corporations Act 2001 (Cth) s 1644(2), introduced by the Whistleblower Bill s 12.

[3] Corporations Act 2001 (Cth) s 1317AI(1), introduced by the Whistleblower Bill s 9.

[4] Corporations Act 2001 (Cth) s 1317AI(2), introduced by the Whistleblower Bill s 9.

A large proprietary company is currently defined in the Corporations Act 2001 (Cth) s 45A(3) as a proprietary company that satisfies at least two of the following in the financial year: (a) consolidated revenue $25 million or more; (b) gross assets of $12.5 million or more; (c) the company and any entities it controls have 50 or more employees. However, draft regulations were introduced for consideration in 2018 (Corporations Amendment (Proprietary Company Thresholds) Regulations 2018), which would double those thresholds, meaning that fewer proprietary companies would be subject to these obligations.

[5] The content as set out in Corporations Act 2001 (Cth) s 1317AI(5), introduced by the Whistleblower Bill s 9.

[6] Corporations Act 2001 (Cth) ss 1317AA and Taxation Administration Act 1953 (Cth) s 14ZZT, introduced by the Whistleblower Bill ss 2, 15.

[7] Eligible whistleblower is defined at Corporations Act 2001 (Cth) s 1317AAA and, at a high level, includes an entity’s officers, employees, contractors, associates and superannuation trustees. Also see Taxation Administration Act 1953 (Cth) s 14ZZU, introduced by the Whistleblower Bill s 15.

[8] Eligible recipient is defined at Corporations Act 2001 (Cth) s 1317AAC. Importantly, a ‘senior manager’ or ‘officer’ of a company – both concepts under the Corporations Act (section 9) – are a narrower class as compared with all employees, managers or supervisors of eligible whistleblowers. See also Taxation Administration Act 1953 (Cth) s 14ZZV, as introduced by the Whistleblower Bill s 15. This is a significant change from earlier drafts of the legislation, and should ensure that adequately responsible people have this responsibility, rather than it sitting with more junior employees.

[9] Corporations Act 2001 (Cth) ss 1317AADA, introduced by the Whistleblower Bill s 2.

[10] Corporations Act 2001 (Cth) ss 1317AAD, introduced by the Whistleblower Bill s 2.

[11] Corporations Act 2001 (Cth) ss 1317AA and Taxation Administration Act 1953 (Cth) s 14ZZT, introduced by the Whistleblower Bill ss 2, 15.

[12] Corporations Act 2001 (Cth) ss 1317AD, 1317AE and Taxation Administration Act 1953 (Cth) ss 14ZZZ, 14ZZZA, introduced by the Whistleblower Bill ss 9, 15.

[13] Ibid.
[14] Whistleblower Bill s12

[15] Corporations Act 2001 (Cth) s 1317AI, as introduced by the Whistleblower Bill ss 9, 15.